]>
gitweb.michael.orlitzky.com - apply-default-acl.git/blob - run-tests.sh
9 # Exit with this when a test fails.
12 # We use a few system users in the tests. If these users aren't
13 # present, we exit with a different (non-EXIT_FAILURE).
16 # Define the users that we'll use in the tests below. We store the
17 # names as variables to avoid repeating them everywhere.
19 # WARNING: These must be in alphabetical order; otherwise the getfacl
20 # output will not match.
24 # Check to see if the above users exist. If not, bail.
25 for idx
in $( seq 0 $((${#USERS[@]} - 1)) ); do
26 id
"${USERS[idx]}" >/dev
/null
2>&1
28 if [ $?
-ne $EXIT_SUCCESS ]; then
29 echo "Error: missing test user ${USERS[idx]}." 1>&2
30 exit $EXIT_MISSING_USERS
35 BIN
=$(realpath src/apply-default-acl)
37 # The directory where we'll do all the ACL manipulation.
40 # Will auto-increment.
44 # Remove any ACLs on our test directory and remove its contents.
45 setfacl
--remove-all --recursive "${TESTDIR}"
46 chmod 755 "${TESTDIR}"
51 if [[ "${ACTUAL}" == "${EXPECTED}" ]]; then
52 echo "Success (#${TESTNUM})"
55 echo "Failure (#${TESTNUM})"
56 echo 'Expected result:'
57 echo '================'
59 echo '================'
61 echo '================'
63 echo '================'
68 # Start by removing and recreating the 'acl' directory.
73 # When using a minimal ACL, the default user, group, and other
74 # permissions should all be propagated to the mode bits.
76 TARGET
="${TESTDIR}"/foo
79 setfacl
-d -m user
::r
-- "${TESTDIR}"
80 setfacl
-d -m group
::r
-- "${TESTDIR}"
81 setfacl
-d -m other
::r
-- "${TESTDIR}"
92 ACTUAL
=$(getfacl --omit-header "${TARGET}")
95 # Do the same thing as the last test, except with an extended ACL.
97 setfacl
-d -m user
::r
-- "${TESTDIR}"
98 setfacl
-d -m group
::r
-- "${TESTDIR}"
99 setfacl
-d -m other
::r
-- "${TESTDIR}"
100 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
102 chmod 777 "${TARGET}"
115 ACTUAL
=$(getfacl --omit-header "${TARGET}")
119 # A file shared by a group, should still be group-writable
123 chmod 644 "${TARGET}"
124 setfacl
-d -m group
:${USERS[0]}:rwx
"${TESTDIR}"
130 group:${USERS[0]}:rwx #effective:rw-
137 ACTUAL
=$(getfacl --omit-header "${TARGET}")
141 # Same test as before except with a directory.
143 setfacl
-d -m group
:${USERS[0]}:rwx
"${TESTDIR}"
145 chmod 755 "${TARGET}"
151 group:${USERS[0]}:rwx
156 default:group:${USERS[0]}:rwx
163 ACTUAL
=$(getfacl --omit-header "${TARGET}")
167 # With no default, things are left alone.
170 chmod 744 "${TARGET}"
182 ACTUAL
=$(getfacl --omit-header "${TARGET}")
187 # Since the default ACL will grant r-x to group/other, they will wind
191 chmod 744 "${TARGET}"
192 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
206 ACTUAL
=$(getfacl --omit-header "${TARGET}")
210 # Some named entries can be granted execute permissions as the result
214 chmod 744 "${TARGET}"
215 setfacl
-m user
:${USERS[1]}:rw
"${TARGET}"
216 # If we don't add 'x' to the mask here, nobody can execute the file.
217 # setfacl will update the mask for us under most circumstances, but
218 # note that we didn't create an entry with an 'x' bit using setfacl --
219 # therefore, setfacl won't unmask 'x' for us.
220 setfacl
-m mask
::rwx
"${TARGET}"
221 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
222 setfacl
-d -m user
:${USERS[1]}:rwx
"${TESTDIR}"
236 ACTUAL
=$(getfacl --omit-header "${TARGET}")
240 # We should not retain any entries that aren't in the default.
243 chmod 644 "${TARGET}"
244 setfacl
-m user
:${USERS[1]}:rw
"${TARGET}"
245 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
250 user:${USERS[0]}:rwx #effective:rw-
258 ACTUAL
=$(getfacl --omit-header "${TARGET}")
262 # A slightly modified test #1 to make sure it works right.
264 TARGET
="${TESTDIR}"/foo
266 chmod 777 "${TARGET}"
267 setfacl
-d -m user
::r
-- "${TESTDIR}"
278 ACTUAL
=$(getfacl --omit-header "${TARGET}")
282 # If the default ACL mask denies execute, we should respect that
283 # regardless of the existing execute permissions.
285 TARGET
="${TESTDIR}"/foo
287 chmod 777 "${TARGET}"
288 setfacl
-m user
:${USERS[0]}:rwx
"${TESTDIR}"
289 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
290 setfacl
-d -m mask
::rw
- "${TESTDIR}"
295 user:${USERS[0]}:rwx #effective:rw-
296 group::r-x #effective:r--
303 ACTUAL
=$(getfacl --omit-header "${TARGET}")
308 # The --recursive mode should work normally if the argument is a
309 # normal file. See Test #1.
311 TARGET
="${TESTDIR}"/foo
312 setfacl
-d -m user
::r
-- "${TESTDIR}"
313 setfacl
-d -m group
::r
-- "${TESTDIR}"
314 setfacl
-d -m other
::r
-- "${TESTDIR}"
316 chmod 777 "${TARGET}"
317 $BIN --recursive "${TARGET}"
327 ACTUAL
=$(getfacl --omit-header "${TARGET}")
331 # The --recursive mode should work recursively.
333 TARGET
="${TESTDIR}"/foo
335 touch "${TARGET}"/baz
336 mkdir -p "${TARGET}"/bar
337 touch "${TARGET}"/bar
/quux
338 setfacl
-d -m user
::rwx
"${TESTDIR}"
339 setfacl
-d -m group
::r
-- "${TESTDIR}"
340 setfacl
-d -m other
::r
-- "${TESTDIR}"
341 chmod -R 777 "${TARGET}"
342 $BIN --recursive "${TARGET}"
352 ACTUAL
=$(getfacl --omit-header "${TARGET}"/bar/quux)
356 # The --recursive mode should work recursively. This time
357 # check a directory, and pass the short command-line flag.
359 TARGET
="${TESTDIR}"/foo
361 touch "${TARGET}"/baz
362 mkdir -p "${TARGET}"/bar
363 touch "${TARGET}"/bar
/quux
364 setfacl
-d -m user
::rwx
"${TESTDIR}"
365 setfacl
-d -m group
::r
-- "${TESTDIR}"
366 setfacl
-d -m other
::r
-- "${TESTDIR}"
367 chmod -R 777 "${TARGET}"
381 ACTUAL
=$(getfacl --omit-header "${TARGET}"/bar)
385 # Test double application on a directory.
388 TARGET
="${TESTDIR}"/baz
390 chmod 644 "${TARGET}"
391 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
403 default:user:${USERS[0]}:rwx
411 ACTUAL
=$(getfacl --omit-header "${TARGET}")
415 # Same as previous test, with 755 initial perms.
418 TARGET
="${TESTDIR}"/baz
420 chmod 755 "${TARGET}"
421 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
433 default:user:${USERS[0]}:rwx
441 ACTUAL
=$(getfacl --omit-header "${TARGET}")
445 # Same as previous two tests, only with a file.
448 TARGET
="${TESTDIR}"/foo
450 chmod 644 "${TARGET}"
451 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
458 user:${USERS[0]}:rwx #effective:rw-
465 ACTUAL
=$(getfacl --omit-header "${TARGET}")
469 # User-executable files should not wind up exec-masked.
471 TARGET
="${TESTDIR}"/foo
473 chmod 700 "${TARGET}"
474 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
487 ACTUAL
=$(getfacl --omit-header "${TARGET}")
491 # Group-executable files should not wind up exec-masked.
493 TARGET
="${TESTDIR}"/foo
495 chmod 670 "${TARGET}"
496 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
509 ACTUAL
=$(getfacl --omit-header "${TARGET}")
513 # Other-executable files should not wind up exec-masked.
515 TARGET
="${TESTDIR}"/foo
517 chmod 607 "${TARGET}"
518 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
531 ACTUAL
=$(getfacl --omit-header "${TARGET}")
536 # Test #16's setup repeated with the --no-exec-mask flag.
539 TARGET
="${TESTDIR}"/foo
541 chmod 644 "${TARGET}"
542 # The directory allows execute for user, group, and other, so the file
543 # should actually inherit them regardless of its initial mode when the
544 # --no-exec-mask flag is passed.
545 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
547 $BIN --no-exec-mask "${TARGET}"
558 ACTUAL
=$(getfacl --omit-header "${TARGET}")
563 # Test #20 repeated recursively to make sure the flags play nice
566 PARENT_DIR
="${TESTDIR}"/foo
567 TARGET
="${PARENT_DIR}"/bar
568 mkdir "${PARENT_DIR}"
570 chmod 644 "${TARGET}"
571 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
573 $BIN --recursive --no-exec-mask "${PARENT_DIR}"
584 ACTUAL
=$(getfacl --omit-header "${TARGET}")
588 # Make sure a mask with an execute bit doesn't count as being
592 TARGET
="${TESTDIR}"/foo
594 chmod 644 "${TARGET}"
595 setfacl
-m user
::rw
"${TARGET}"
596 setfacl
-m group
::rw
"${TARGET}"
597 # Even though the mask has an 'x' bit, nobody can execute it.
598 setfacl
-m mask
::rwx
"${TARGET}"
599 setfacl
-d -m user
::rwx
"${TESTDIR}"
600 setfacl
-d -m group
::rwx
"${TESTDIR}"
612 ACTUAL
=$(getfacl --omit-header "${TARGET}")
616 # Same as test #2, except we pass multiple files on the command
617 # line and check the result of the first one.
619 setfacl
-d -m user
::r
-- "${TESTDIR}"
620 setfacl
-d -m group
::r
-- "${TESTDIR}"
621 setfacl
-d -m other
::r
-- "${TESTDIR}"
622 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
623 DUMMY
="${TESTDIR}/dummy"
627 chmod 777 "${TARGET}"
628 $BIN "${TARGET}" "${DUMMY}"
640 ACTUAL
=$(getfacl --omit-header "${TARGET}")
645 # Same as the previous test with the argument order switched.
647 setfacl
-d -m user
::r
-- "${TESTDIR}"
648 setfacl
-d -m group
::r
-- "${TESTDIR}"
649 setfacl
-d -m other
::r
-- "${TESTDIR}"
650 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
651 DUMMY
="${TESTDIR}/dummy"
655 chmod 777 "${TARGET}"
656 $BIN "${DUMMY}" "${TARGET}"
668 ACTUAL
=$(getfacl --omit-header "${TARGET}")
672 # If we call apply-default-acl on a single file that does not exist,
673 # we get the expected error.
675 ACTUAL
=$( "${BIN}" test/nonexistent 2>&1 )
676 EXPECTED
="test/nonexistent: No such file or directory"
679 # Same as the previous test, but with --recursive.
681 ACTUAL
=$( "${BIN}" --recursive test/nonexistent 2>&1 )
682 EXPECTED
="test/nonexistent: No such file or directory"
685 # If we call apply-default-acl on more than one file, it should report any
686 # that don't exist (but proceed to operate on the others).
688 DUMMY1
="${TESTDIR}/dummy1"
689 DUMMY2
="${TESTDIR}/dummy2"
690 touch "${DUMMY1}" "${DUMMY2}"
691 ACTUAL
=$( "${BIN}" "${DUMMY1}" test/nonexistent "${DUMMY2}" 2>&1 )
692 EXPECTED
="test/nonexistent: No such file or directory"
696 # Ensure that symlinks are not followed.
698 TARGET
="${TESTDIR}/foo"
699 LINK2TARGET
="${TESTDIR}/foo-sym"
701 ln -s "${TARGET#${TESTDIR}/}" "${LINK2TARGET}"
702 setfacl
--default --modify user
:${USERS[0]}:rwx
"${TESTDIR}"
703 "${BIN}" "${LINK2TARGET}"
704 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
715 # Ensure that symlinks are not followed in subdirectories
718 TARGET
="${TESTDIR}/bar"
720 mkdir "${TESTDIR}/foo"
721 LINK2TARGET
="${TESTDIR}/foo/bar-sym"
722 ln -s "../bar" "${LINK2TARGET}"
723 setfacl
--default --modify user
:${USERS[0]}:rwx
"${TESTDIR}/foo"
724 EXPECTED
=$(getfacl --omit-header "${TARGET}")
725 "${BIN}" --recursive "${TESTDIR}/foo"
726 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
730 # Ensure that hard links are ignored.
732 TARGET
="${TESTDIR}/foo"
733 LINK2TARGET
="${TESTDIR}/bar"
735 ln "${TARGET}" "${LINK2TARGET}"
736 setfacl
--default --modify user
:${USERS[0]}:rwx
"${TESTDIR}"
737 "${BIN}" "${LINK2TARGET}"
738 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
749 # We should be able to run the tool with a relative path from within a
750 # directory that contains a symlink, so long as the relative path
751 # doesn't contain one.
753 TARGET
="${TESTDIR}/foo/bar"
754 LINK2TARGET
="${TESTDIR}/baz"
755 mkdir -p $(dirname "${TARGET}")
757 ln -s foo
"${TESTDIR}/baz"
758 setfacl
--default --modify user
:${USERS[0]}:rw
$(dirname "${TARGET}")
759 pushd "${TESTDIR}/baz" > /dev
/null
762 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
775 # Ensure that symlinks in non-terminal path components are not followed.
777 TARGET
="${TESTDIR}/foo/bar/baz"
778 LINK2FOO
="${TESTDIR}/quux"
779 mkdir -p $(dirname "${TARGET}")
781 ln -s foo
"${LINK2FOO}"
782 setfacl
--default --modify user
:${USERS[0]}:rw
$(dirname "${TARGET}")
783 EXPECTED
=$(getfacl --omit-header "${TARGET}")
784 "${BIN}" "${LINK2FOO}/bar/baz"
785 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
789 # Test that our exit code succeeds on a single, normal path.
791 TARGET
="${TESTDIR}/foo"
793 setfacl
--default --modify user
:${USERS[0]}:rw
"${TESTDIR}"
800 # Test that our exit code fails on a symlink.
802 TARGET
="${TESTDIR}/bar"
803 touch "${TESTDIR}/foo"
804 ln -s foo
"${TARGET}"
805 setfacl
--default --modify user
:${USERS[0]}:rw
"${TESTDIR}"
812 # The previous test should fail, even if we use --recursive.
814 TARGET
="${TESTDIR}/bar"
815 touch "${TESTDIR}/foo"
816 ln -s foo
"${TARGET}"
817 setfacl
--default --modify user
:${USERS[0]}:rw
"${TESTDIR}"
818 "${BIN}" --recursive "${TARGET}"
824 # Test the return value for nonexistent paths.
826 TARGET
="${TESTDIR}/foo"
827 "${BIN}" "${TARGET}" &>/dev
/null
833 # Test that one "failure" exit code overrides two "successes"
834 # We need a default ACL on ${TESTDIR} because otherwise we do
835 # nothing, successfully, on the symlink path.
837 mkdir "${TESTDIR}/foo"
838 ln -s foo
"${TESTDIR}/bar"
839 mkdir "${TESTDIR}/baz"
840 setfacl
--default --modify user
:${USERS[0]}:rw
"${TESTDIR}"
841 "${BIN}" "${TESTDIR}/foo" "${TESTDIR}/bar" "${TESTDIR}/baz"
847 # The failure should prevail when using --recursive, too.
849 mkdir "${TESTDIR}/foo"
850 ln -s foo
"${TESTDIR}/bar"
851 mkdir "${TESTDIR}/baz"
852 "${BIN}" --recursive "${TESTDIR}"
858 # We should get "Not a directory" if we stick a trailing slash on the
859 # end of the path to a file.
861 TARGET
="${TESTDIR}/foo"
863 ACTUAL
=$( "${BIN}" "${TARGET}/" 2>&1 )
864 EXPECTED
="${TARGET}/: Not a directory"
868 # We should be a no-op on files contained in directories that have no
871 TARGET
="${TESTDIR}/foo"
873 setfacl
--modify user
:${USERS[0]}:rw
"${TARGET}"
874 EXPECTED
=$( getfacl --omit-header "${TARGET}" )
876 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
880 # We should be a no-op on directories contained in directories that
881 # have no default ACL (same as the previous test, but with a directory).
883 TARGET
="${TESTDIR}/foo"
885 setfacl
--modify user
:${USERS[0]}:rw
"${TARGET}"
886 setfacl
--default --modify user
:${USERS[0]}:rw
"${TARGET}"
887 EXPECTED
=$( getfacl --omit-header "${TARGET}" )
888 "${BIN}" --recursive "${TARGET}"
889 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
893 # Make sure we descend into subdirectories that don't have default ACLs.
895 TARGET
="${TESTDIR}/foo/bar/baz"
896 mkdir -p $(dirname "${TARGET}")
898 touch "${TARGET}-direct"
899 setfacl
--default --modify user
:${USERS[0]}:rw
$(dirname "${TARGET}")
900 "${BIN}" "${TARGET}-direct"
901 EXPECTED
=$( getfacl --omit-header "${TARGET}-direct" )
902 "${BIN}" --recursive "${TESTDIR}"
903 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
907 # Ensure that we don't get "error" results for symlinks encountered
908 # during a recursive traversal.
911 mkdir "${TARGET}/foo"
912 mkdir "${TARGET}/bar"
913 ln -s "../foo" "${TARGET}/bar/baz"
914 setfacl
--default --modify user
:${USERS[0]}:rw
"${TARGET}"
916 "${BIN}" --recursive "${TARGET}"